Added check for negative offset in cid spill to prevent infinite loops
authorDoug Bailey <dbailey@digium.com>
Thu, 10 May 2007 21:25:05 +0000 (21:25 +0000)
committerDoug Bailey <dbailey@digium.com>
Thu, 10 May 2007 21:25:05 +0000 (21:25 +0000)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@63786 65c4cc65-6c06-0410-ace0-fbb531ad65f3

main/callerid.c

index 002666aa930cb95db0da06407cbcac7916188982..74b8d9200a41c7e0d4a14b4d3b12e78380b1dbda 100644 (file)
@@ -636,6 +636,12 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, int
                                                default:
                                                        ast_log(LOG_NOTICE, "Unknown IE %d\n", cid->rawdata[x - 1]);
                                                }
+                                               if(0 > cid->rawdata[x]){        /* Negative offset in the CID Spill */
+                                                       ast_log(LOG_NOTICE, "IE %d has bad field length of %d at offset %d\n", cid->rawdata[x-1], cid->rawdata[x], x);
+                                                       /* Try again */
+                                                       cid->sawflag = 0;
+                                                       break;  /* Exit the loop */
+                                               }
                                                x += cid->rawdata[x];
                                                x++;
                                        }
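Review bot: The new guard runs only after the `switch` that closes just above it, so if any case in that switch uses `cid->rawdata[x]` as a copy length (the cases are outside this hunk), it has already acted on the negative value before the field is rejected; the check would be safer placed ahead of the switch. The guard also rejects only negative lengths, so a positive length that points past the received data still reaches `x += cid->rawdata[x]`. It should bound the length in both directions, e.g. `if (len < 0 || len > remaining) {` where `len` and `remaining` are illustrative names and `remaining` comes from the loop's bound, which is not visible here. The `0 > cid->rawdata[x]` test can only fire where the element type of `rawdata` is signed, so reading the byte once into an `int` and adding a comment such as `/* length byte comes straight from the line; treat as untrusted */` would make that dependence explicit. The enclosing loop and `callerid_feed` both start and end outside the hunk.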